Date posted: 20-Dec-2015
X.509 at the University of Michigan
CIC-RPG Meeting, June 7, 1999
Kevin Coffman ([email protected])
Bill Doster ([email protected])
Project Goals
• Transparent Web Authentication
• Eliminate password prompts
• Lotus Notes Authentication
• Position for inter-institution Authentication
Non-Goals
• Not a complete PKI
• Not to be used for document signing
• Not to be used for encryption
• Not a complete replacement of the current cookie method
Why X.509?
• An accepted standard
• Application support out of the box
  – Web servers, web browsers, directory servers, IMAP servers, etc.
• Allows the possibility for inter-institution authentication
• No need for N²-1 cross-realm trusts
Description
• Use short-term (approximately 1 day) certificates - “Junk Keys”
• Obtain certificates securely
• For Authentication ONLY!
• Use OpenSSL for creating and signing certificates
Why “Junk Keys”?
• Revocation becomes a non-issue
• Private Key storage is less an issue
• Certificate publication for sharing is not necessary
• Certificate management is less critical
Drawbacks
• Cannot be used for signing or encryption
• Not possible to verify certificate via LDAP
Options for obtaining the CA’s Certificate
• Bake it into browsers we distribute
• Via a web interface using SSL and Verisign Certificate
• Store it in the file-system
Obtaining CA Certificate via Web
[Diagram: the browser (Netscape or Internet Explorer) fetches the CA certificate from the CA host (Apache + OpenSSL + scripts, presenting a Verisign certificate). Green lines imply SSL protected.]
Options for obtaining the User Certificate
• Via a web-based interface [ SSL ]
• Pam / Gina / Login [ TGT or SSL ]
• Standalone program [ TGT (or SSL) ]
• Leave it up to application [ TGT (or SSL) ]
Obtaining User Certificate via Web (Netscape)
[Diagram: Netscape browser on the left, web server / CA on the right]
• User selects URL; server asks: ID and password??
• Browser sends ID and password; server verifies identity, looks up full name, looks up Entity ID
• Browser runs keyGen: generates key pair and stores keys; sends Public Key
• Server generates and signs certificate; returns Signed Certificate
• Browser stores Certificate
Obtaining User Certificate via Web (IE part 1)
[Diagram: Internet Explorer browser on the left, web server / CA on the right]
• User selects URL
• Server (ieReq.pl) sends a VBScript asking for the user’s unique ID
• Browser prompts: ID ??
Obtaining User Certificate via Web (IE part 2)
[Diagram: Internet Explorer browser on the left, web server / CA on the right]
• Browser sends ID (uniqname)
• Server (ieGenReq.pl): lookup full name; lookup Entity ID; generate VBScript to create key pair and PKCS #10 request
• Browser runs VBScript to generate key pair and PKCS #10 request
• Browser prompts: password ??
Obtaining User Certificate via Web (IE part 3)
[Diagram: Internet Explorer browser on the left, web server / CA on the right]
• Browser sends password + PKCS #10
• Server (ieTreatReq.pl): check password; generate certificate and wrap it in PKCS #7 format; generate VBScript to accept PKCS #7
• Server returns PKCS #7
• Browser runs VBScript to accept PKCS #7
• Phew! Done!
Obtaining User Certificate via Standalone Pgm (Netscape)
[Diagram: Client Machine on the left, Certificate Authority on the right. Orange lines imply Kerberized exchange.]
• Client components: getcert, keyutil, certutil, with the key3.db and cert7.db databases
• Client sends public key
• CA: lookup full name; lookup Entity ID; generate and sign certificate
• CA returns signed certificate
Obtaining User Certificate via Standalone Program (IE)
[Diagram: Client Machine on the left, Certificate Authority on the right]
• Client: use OpenSSL to generate key pair
• Client sends public key
• CA: lookup full name; lookup Entity ID; generate and sign certificate
• CA returns signed certificate
• Client: store key pair; store certificate
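The issuance round trip sketched in the Description slide, the IE web flow (PKCS #10 request in, PKCS #7 bundle out) and the standalone IE flow (OpenSSL generates the key pair), collapsed into one OpenSSL script. This is an added example, not the CITI ieReq.pl / ieGenReq.pl / ieTreatReq.pl scripts or VBScript from the talk; the CA subject “Example University / Junk-Key CA”, the user name jdoe, the file names and the 365-day CA lifetime are assumptions made for the demonstration. It shows what “junk key” and “authentication ONLY” mean on the wire: a one-day validity window, a keyUsage limited to digitalSignature with an extendedKeyUsage of clientAuth, and checks that the resulting certificate chains to the CA and expires on schedule.

```shell
#!/bin/sh
# Added example (not the CITI scripts): a minimal "junk key" issuance with OpenSSL.
# All names below (Example University, user jdoe, file names) are assumptions.

# issue_junk_cert DIR USER
# Throwaway CA, client key pair + PKCS #10 request, one-day authentication-only
# certificate, and a PKCS #7 wrapper for delivery (the IE flow's final step).
issue_junk_cert() {
    dir=$1; user=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate (the Apache + OpenSSL host in the talk).
    #    365 days is arbitrary here; only the user certificates are short-lived.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example University/CN=Junk-Key CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Client side: key pair and PKCS #10 request.  In the talk this is keyGen
    #    (Netscape), the generated VBScript (IE) or OpenSSL (standalone program).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example University/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null || return 1

    # 3. Authentication only: not a CA, digitalSignature only, EKU clientAuth.
    #    No keyEncipherment/dataEncipherment, so the cert is useless for encryption,
    #    matching the talk's non-goals.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'keyUsage=critical,digitalSignature' \
                  'extendedKeyUsage=clientAuth' > "$dir/ext.cnf"

    # 4. CA signs the request for one day: the "junk key" lifetime.
    openssl x509 -req -days 1 -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/$user.crt" 2>/dev/null || return 1

    # 5. Wrap user cert + CA cert in PKCS #7 (certs-only SignedData), the container
    #    the IE flow hands back to the browser.
    openssl crl2pkcs7 -nocrl -certfile "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -out "$dir/$user.p7b" 2>/dev/null
}

# chain_ok DIR USER: succeeds if the user certificate chains to the CA certificate.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# still_valid_in DIR USER SECONDS: succeeds if the certificate will NOT have
# expired SECONDS from now (-checkend exits non-zero when it expires in that window).
still_valid_in() {
    openssl x509 -in "$1/$2.crt" -noout -checkend "$3" >/dev/null 2>&1
}

# client_auth_only DIR USER: succeeds if the extensions say "authentication only".
client_auth_only() {
    txt=$(openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null) || return 1
    printf '%s' "$txt" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s' "$txt" | grep -q 'Digital Signature' || return 1
    printf '%s' "$txt" | grep -q 'Key Encipherment' && return 1
    printf '%s' "$txt" | grep -q 'CA:FALSE'
}

# p7_cert_count DIR USER: prints how many certificates the PKCS #7 bundle carries.
p7_cert_count() {
    openssl pkcs7 -in "$1/$2.p7b" -print_certs -noout 2>/dev/null | grep -c '^subject='
}

# Stand-alone demonstration.
WORK=$(mktemp -d)
issue_junk_cert "$WORK" jdoe || { echo "issuance failed"; exit 1; }
chain_ok "$WORK" jdoe && echo "jdoe.crt chains to the junk-key CA"
still_valid_in "$WORK" jdoe 3600 && echo "still valid one hour from now"
still_valid_in "$WORK" jdoe 172800 || echo "expires within two days: no revocation needed"
client_auth_only "$WORK" jdoe && echo "extensions: authentication only"
echo "PKCS #7 bundle carries $(p7_cert_count "$WORK" jdoe) certificate(s)"
```

The two -checkend calls are the point of the junk-key design: a relying party only has to compare the notAfter field against the clock, so the “Revocation becomes a non-issue” slide holds without any CRL or LDAP lookup. The extension file is what keeps the cert out of the document-signing and encryption roles the talk explicitly excludes.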
Storing the Certificates
• How to destroy the certificates after use?
• NT 4.0 w/SP3 and later has special storage classes that live only for the life of a login
• Make use of Kerberos credential storage?
Internet Explorer vs. Netscape
Problems
• Documentation - Flood or Drought
• Macintosh support lags other platforms
Current Status
• Internet Explorer (Windows only) looks promising
• Netscape (Windows, Solaris) do-able but not clean
• Macintosh support does not currently look promising for either browser
References
• This presentation:
  – http://www.citi.umich.edu/u/kwc/Presentations/X509June1999
• OpenSSL:
  – http://www.openssl.org/
• Netscape Security Services:
  – http://home.netscape.com/nss/v1.2/index.html
• Microsoft CryptoAPI:
  – http://www.microsoft.com/security/tech/CryptoAPI/default.asp